BreachExchange mailing list archives

Yet another disgraceful example of data loss by councils


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 10 Jul 2010 13:06:37 -0400

http://www.bigbrotherwatch.org.uk/home/2010/07/yet-another-disgraceful-example-of-data-loss-by-councils.html

Over at the ICO, a press release that should send a shiver up the
spine of any resident of the following areas (and probably the rest of
us too, given the slack behaviour it suggests):

Over 9,000 child details put at risk by councils

The Information Commissioner’s Office (ICO) has taken action against
the London Borough of Barnet, West Sussex County Council and
Buckinghamshire County Council for breaching the Data Protection Act.
A systemic lack of staff training on how to handle personal
information has led to the loss of sensitive personal information
relating to thousands of children.

Sally-Anne Poole, Enforcement Group Manager at the ICO, said: “These
three councils have shown a poor regard for the importance of
protecting children’s personal information. It is essential that
councils ensure the correct preventative safeguards are in place when
storing and transferring personal information, especially when it
concerns sensitive information relating to children. A lack of
awareness and training in data protection requirements can lead to
personal information falling into the wrong hands.”

A theft from the home of an employee of the London Borough of Barnet
was reported by the council. An unencrypted, non-password protected
USB stick and CDs containing the sensitive personal information of
over 9,000 children and members of their families were taken. An
employee had downloaded the data onto the unencrypted devices without
any authorisation to do so, although it was later revealed that there
was no training provided or security in place to prevent such
downloads. The ICO had conducted an audit of the London Borough of
Barnet prior to this incident that had also highlighted this lack of
staff training.

West Sussex County Council had a laptop stolen, also from the home of
an employee, which contained sensitive personal data relating to an
unknown number of children and families involved in childcare
proceedings. The laptop was unencrypted and enquiries by the ICO
revealed that the employee had not received any formal data
protection/IT security training. It was also discovered that over
2,300 unencrypted laptops were likely to be still in use across the
council’s various services, although steps are now being taken to
encrypt these.

Buckinghamshire County Council provided a report regarding the loss,
at Heathrow Airport, of documents containing sensitive personal data
relating to two children. The documents were in a plastic wallet
belonging to a council social work employee who was travelling to
another UK city in connection with the children’s social care case.
After further analysis by the ICO, it was apparent that no real
thought had been given to the security of this personal data during
travel. It was also revealed that some of the council’s policies
needed revision and that staff training in data protection was
insufficient.

The ICO has found all three councils in breach of the DPA.

This is extremely worrying. Children are entitled to privacy just like
adults: these authorities have had scant regard for the safety of
their private information.

Whilst I applaud the ICO for naming and shaming the councils, to get
real change in the culture of contempt for privacy on show here the
Commissioner should be able to order or recommend dismissal of
individual personnel.

This is the data loss we know about. Residents with children must be
wondering - What else has been lost by these councils?

Remember of course that national government is just as bad as local
government - in 2006 the DWP lost the entire child benefit database,
containing the very private details of some 25 million people.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
